Part 65: My vCloud Journey Journal: Pre-Requisites for vCloud Automation Center 5.1
Note: There’s quite a few components to vCAC that need to be installed and configured. I intend to update the post as I learn more.
UPDATE: After writing this post I came across a script that can handle all the pre-reqs for vCAC. It’s on Randy Stanley’s blog killerclouds.com as part of his blog post “VMware vCAC 5.1 Install Process – Overview“; specifically, his PowerShell script is here.
I went down to the crossroads (to quote Robert Johnson), and decided to take the turning to the right. I’ve been working solidly with vCloud Director since August of last year. But there is more to our vCloud Suite than a single product, so I’ve decided to turn my attention to another product in the suite, vCloud Automation Center. So I’ve downloaded all the PDFs, and I’ve managed to get hold of the “Foundation Training” manual, but I’m not due to attend the course until June. I’m getting married in a couple of weeks, followed by a honeymoon in Venice – so that sort of made attending courses and such like in late April and early May an impossibility.
Not to be outdone, I thought I would dip my toes in. I figure if I’m to have any chance of following the manual for the course in my own time I’m going to need an instance of vCAC up and running. But before I do that I must broach the whole issue of how one handles the product name. There seem to be two approaches – spelling out each letter in turn, “VC-AC”, as if you were making a reference to the rock group “AC-DC”, or merely dispensing with the whole v-business altogether and saying “Cloud Automation Center”. Personally, I quite like “VC-AC”; it has a nice ring to it… Personally, I think ALL our products should start with a small v. It would make finding them on the A-Z list of technologies easy – just click on V and you’ll find them all there. 😉
A quick look at the official admin guide shows the task before me – it is entirely possible to create one big Uber Windows instance and run the whole thing on a single VM. But I want also to be realistic – and have the option to do configurations that will require redundancy and resiliency. One of my experiences of the last 20 years in IT is that the more software you shoe-horn into the same OS the more conflicts you get – plus separate instances allow you to keep the structure of the product in your head. So looking at the diagram below I’m already thinking at least 5 VMs for the Web Server, vCAC Server, MS-SQL Database Server, the vCAC Agent and the DEM…
The bare minimum setup involves installing the vCAC server itself, which contains the DEM Orchestrator role together with a DEM Worker instance. DEM stands for “Distributed Execution Manager” – the Orchestrator controls when tasks occur and the Worker carries them out. The “Agent” component basically connects to the “Provisioning Infrastructure” – that’s a generic term for stuff like VMware ESX, Citrix XenServer, Microsoft Windows Hyper-V and perhaps even physical systems. As you can see vCAC is very like one of those 3-tier applications we often talk about when we think about deploying a typical enterprise application. Each one of these components has its own role and purpose – and from the installation guide I was able to get a thumbnail sketch of their purposes.
Web Server: Uses Windows 2008/IIS7, as do many of the components in vCAC. Holds the portal/reports and Model Manager roles. The portal is your front-end to the vCAC information, which it collects from the vCAC Server, Agents and the DEM Worker via the Model Manager. The Model Manager allows for secure multi-tenancy, gives the administrator a view into the data held in vCAC, and allows the admin to specify workflows and when they should run. You’ll notice there’s also a reporting website role as well.
vCAC Server: Holds the core engine. It speaks to the Model Manager on the web server, collects data from the Agents and the DEM, and reports that back into the web service.
Database Server: Stores your configuration, created during the installation – although you can create the DB manually if you so wish.
DEM (Distributed Execution Manager) – Runs the workflows defined within vCAC. Contains two sub-roles called Worker and Orchestrator. One does the execution, and the other monitors the execution progress.
Agents – These are the gateway to your external virtualization compute resources (VMware, Citrix, Microsoft) as well as offering support for physicalization (that’s one of my catchphrases!), which allows for the provisioning of physical machines as well as virtual machines. Other agents include ones that allow you to use WMI and to deploy virtual desktops using the Citrix Desktop Delivery Controller for XenDesktop.
There are some optional components as well, including a vCAC Designer and a Development Kit. The first provides a GUI front-end for customizing workflows, the second contains a plug-in for Visual Studio, and both contain a command-line tool called “cloudutil”.
Some Pre-Requisites Observations:
On a quick read of the pre-requisites, a couple of key points jump out at you right away.
Firstly, vCAC has a system of “Authentication Stores”, which is a rather grand way of talking about different locations or sources of users and groups – they can be file, SQL or AD based. With file-based, users/groups are stored in an .XML file on the vCAC server (which is really only useful in quick evals); SQL means the users/groups are stored in the vCAC backend database; and with AD the users/groups come from Active Directory. If you choose the AD option you have to go through a preparation phase before starting the installation off – using the AzManUtil.zip utility.
Secondly, vCAC requires Microsoft SQL Server. No other database types are supported. You can have the installation create the DB and assign the rights, or you can manually create the DB.
Thirdly, by default vCAC uses HTTPS for communication. As I understand it the components can be configured for non-secure, but HTTPS is the default – that means having a trusted certificate for each component – it’s either HTTPS throughout or not at all. If you’re running a more distributed model like I am that means certificates for each node, but if you’re creating an Uber-vCAC that holds all the roles it means one certificate request to cover the whole shooting match. I’m lucky in the sense that I run an Enterprise Root CA in my lab on a Domain Controller – so requesting certificates from it from IIS should be easy. That’s how I first got started with certificates back in my NT4.0 days…
Fourthly, you think you have disabled the Microsoft Firewall but you haven’t. vCAC has a “Pre-Requisites” checker tool held in the /tools directory which scans your Windows install to see if all is right and proper in the world. To make my own life simple I often disable Microsoft’s Firewall. However, the checker kept on saying the Firewall was still active, giving me a Yellow Tick next to the entry. I found the only way to clear this entry was to google and use some command line tools – so I ran:
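Since every node in a distributed vCAC layout needs its own trusted certificate, here is the per-node certificate step scripted rather than clicked through in IIS Manager. This is an added example for this post, not code from the vCAC installer or the original article. It assumes a domain-joined Windows 2008 R2 node, an AD-integrated Enterprise CA that publishes the stock “WebServer” template, and placeholder values for the node FQDN and the CA config string; swap those two for your own.

```powershell
# Added example (not from the original post): request a server certificate from
# an Enterprise CA with certreq, accept it into LocalMachine\My, verify the chain,
# and bind it to the Default Web Site on 443 with the WebAdministration module.
# ASSUMPTIONS: $fqdn and $ca are placeholders; the CA publishes the "WebServer" template.
Import-Module WebAdministration

$fqdn = "vcac-web.corp.example"            # placeholder: this node's FQDN
$ca   = "ca01.corp.example\Corp-Root-CA"   # placeholder: "CAHost\CAName" of your Enterprise CA
$inf  = Join-Path $env:TEMP "vcac.inf"
$req  = Join-Path $env:TEMP "vcac.req"
$cer  = Join-Path $env:TEMP "vcac.cer"

# certreq INF: machine key, not exportable, 2048-bit RSA, server-auth EKU,
# and a DNS SAN so the cert is valid for the FQDN the other vCAC nodes will use.
@"
[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}dns=$fqdn"
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path $inf -Encoding Ascii

& certreq.exe -new $inf $req                  # build the CSR, key lands in the machine store
& certreq.exe -submit -config $ca $req $cer   # submit to the Enterprise CA, auto-enroll issues it
& certreq.exe -accept $cer                    # pair the issued cert with its private key

# Pick up the cert we just accepted (newest one for this subject).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $fqdn in LocalMachine\My" }

# Check the chain actually builds to a trusted root on this node; an untrusted
# chain here is exactly what breaks node-to-node HTTPS later.
if (-not $cert.Verify()) {
    throw "Chain for $($cert.Thumbprint) does not validate: is the CA root in Trusted Root CAs on this node?"
}

# Add an https binding if there isn't one, then map 0.0.0.0:443 to this cert.
if (-not (Get-WebBinding -Name "Default Web Site" -Protocol https)) {
    New-WebBinding -Name "Default Web Site" -Protocol https -Port 443
}
if (Test-Path IIS:\SslBindings\0.0.0.0!443) { Remove-Item IIS:\SslBindings\0.0.0.0!443 }
$cert | New-Item IIS:\SslBindings\0.0.0.0!443 | Out-Null

Write-Host "Bound $($cert.Thumbprint) ($($cert.Subject)) to https://${fqdn}:443"
```

Run it once per node in the distributed layout, or once on the Uber-vCAC box; the chain check is the part worth keeping even if you request the certificate by hand, since a certificate IIS is happy to serve is not necessarily one the other vCAC components will trust.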
netsh advfirewall set allprofiles state off
This command ultimately did the trick (after a reboot – it is Windows, remember!) and the component checker passed all the requirements.
Checking your pre-requisites:
According to the install guide the setup.exe will actually create a database for you from the installation – that’s a nice option for a noobie like me who just wants to stand the product up with minimal effort.
vCAC downloads as a .ZIP file; in the /tools directory you should find a DCACPrereqCheckerInstaller.msi which will examine the VMs you’re installing on to verify they meet the requirements. I decided to summarize the changes I made to my default builds of Windows to get the product set up, so when I came to read this post again I could just read the summary!
- NET 4.0 Framework
- IIS with Metabase compatibility.
- Configure MS-DTC Security Settings.
This failed almost immediately because I didn’t have .NET Framework 4.0 installed – additionally, for it to function fully you will need the IIS component enabled even on the SQL Server – the SQL server actually requires the IIS Server Metabase Module enabled to be supported. I ran the PreReq Checker against just the “Database” options – it flagged up two issues – firstly the IIS Server Metabase Module was not installed, and the Microsoft DTC was incorrectly configured.
IMPORTANT: Notice the “Fix” button. If there’s a piece of missing software, the “Fix” button will install it for you – saving you bags of time. But the Fix button does not handle post-installation tasks such as enabling security settings on MS-DTC or authentication settings in IIS. Those you must handle yourself.
I opened the Server Manager application, switched to the “Web Server” role, and used “Add Role Services” to add in the IIS Metabase support.
To handle the MSDTC issue I needed to review the security options – in the “Component Services” MMC under Security of the “Local DTC” – I enabled “Network DTC Access” and “Allow Remote Clients” for both Inbound/Outbound access with “Mutual Authentication Required”.
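The MS-DTC settings above, and the firewall point from the “Fourthly” section, are the two items the Fix button will not do for you, and they come up again on every role. Here they are as one script so a template build gets them consistently. This is an added example for this post, not something from the vCAC tools; the registry names are the documented MSDTC security keys that back the Component Services dialog, and the firewall part uses the built-in “Distributed Transaction Coordinator” rule group so the firewall can stay on if you prefer that to switching it off.

```powershell
# Added example (not from the original post): set the Local DTC security options
# ("Network DTC Access", "Allow Remote Clients", Inbound, Outbound,
# "Mutual Authentication Required") through the registry keys behind the
# Component Services MMC, restart MSDTC, read the values back, and open the
# DTC firewall rule group instead of disabling the firewall.
$secKey = "HKLM:\SOFTWARE\Microsoft\MSDTC\Security"
$dtcKey = "HKLM:\SOFTWARE\Microsoft\MSDTC"

# Network access checkboxes from the "Security Configuration" dialog
$access = @{
    NetworkDtcAccess             = 1   # Network DTC Access
    NetworkDtcAccessClients      = 1   # Allow Remote Clients
    NetworkDtcAccessInbound      = 1   # Allow Inbound
    NetworkDtcAccessOutbound     = 1   # Allow Outbound
    NetworkDtcAccessTransactions = 1   # Allow Remote Administration/transactions
}
# "Mutual Authentication Required" = secure RPC only, no silent fallback
$auth = @{
    AllowOnlySecureRpcCalls          = 1
    FallbackToUnsecureRPCIfNecessary = 0
    TurnOffRpcSecurity               = 0
}

foreach ($name in $access.Keys) {
    Set-ItemProperty -Path $secKey -Name $name -Value $access[$name] -Type DWord
}
foreach ($name in $auth.Keys) {
    Set-ItemProperty -Path $dtcKey -Name $name -Value $auth[$name] -Type DWord
}

# MSDTC only reads these at start-up
Restart-Service -Name MSDTC -Force

# Read back and compare rather than trusting the writes; this is the same
# check the pre-req checker is effectively doing for you.
$gotSec = Get-ItemProperty -Path $secKey
$gotDtc = Get-ItemProperty -Path $dtcKey
$bad = @()
foreach ($name in $access.Keys) { if ($gotSec.$name -ne $access[$name]) { $bad += $name } }
foreach ($name in $auth.Keys)   { if ($gotDtc.$name -ne $auth[$name])   { $bad += $name } }
if ($bad.Count -eq 0) {
    Write-Host "MSDTC network access and mutual authentication configured"
} else {
    Write-Warning ("MSDTC values not as expected: " + ($bad -join ", "))
}

# Firewall: enable the predefined DTC rule group (RPC endpoint mapper plus the
# DTC rules) and show the per-profile state, so you can see what a checker
# would see instead of assuming the firewall is off.
netsh advfirewall firewall set rule group="Distributed Transaction Coordinator" new enable=yes
netsh advfirewall show allprofiles state
```

The read-back matters more than it looks: the dialog and the checker both report the effective values after the MSDTC service has restarted, so a write without a restart will still show as “incorrectly configured”.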
A re-run of the checker then successfully passed the database configuration:
- NET 4.0 Framework
- IIS with Metabase Compatibility
- Configure MS-DTC Security Settings
- Start the Secondary Logon Service with the Services MMC
The vCAC server has the same requirements as the database server – MSDTC and the IIS Server Metabase Module that is added as part of IIS on Windows 2008. As I understand it the vCAC server can also run the “DEM Orchestrator” role as well. This threw up an issue with the Windows Firewall and MS-DTC, as with the database server. The Firewall alert was an odd one – it’s turned off in Windows, and even after allowing MS-DTC through the Firewall (which isn’t switched on!) the checker still flagged it as an issue. Mmm. I decided to ignore the checker at this point and assumed it was wrong, and I was right. Dangerous, I know. 😉
What was new was the requirement for the Secondary Logon Service during the install period. Apparently it can be turned off once the installation has been completed.
Enabling the Secondary Logon Service was a breeze – I started the service, and set it to start automatically, just in case between now and kicking off the install the vCAC server was rebooted. I made a mental note to undo this configuration change once I was satisfied the install was complete.
- NET 4.0 Framework
- IIS Role with Metabase Compatibility – as well as ASPNET, ISAPIExtensions, ISAPIFilter, HTTP Redirection Service
- Configure MS-DTC Security Settings
- Enable Windows Process Activation Feature
- Enable .NET 3.5 Framework Feature.
- Enable Windows Authentication on Default Web Site in IIS
- Disable Anonymous Authentication on Default Web Site in IIS
- Ensure the Negotiate for Authentication Providers in the Default Web Site in IIS is properly enabled
- Toggle Windows Authentication Advanced Settings from Off to Accept, and back to Off again!
- Enable the Secondary Logon Service
As with both the vCAC and Database roles, the MS-DTC security settings need to be configured, and IIS with Metabase. Additionally, however, on top of the standard IIS configuration you need to include the IIS Authentication and IIS Windows Process Activation options as well. This is a straight cut & paste from the admin guide.
Core IIS Modules:
Items marked with a * mean an additional component is added during “Add Role Services”.
- Windows Authentication enabled
- AnonymousAuthentication disabled
- Negotiate Provider enabled
- NTLM Provider enabled
- Windows Authentication Kernel Mode enabled
- Windows Authentication Extended Protection disabled
IIS Windows Process Activation Service roles*
The items without a * mean some sort of configuration was required in IIS. Sure enough, the PreReq checker picked all of these up when I was ticking off the web-based components (Model Manager, Website, Self-Service Portal Web-Site).
As you can see there’s quite a bit missing. I found it best to collapse each role (website, ModelManager, Self-Service Install) and then re-run the checker until I got a green light on each one.
The ModelManager Website:
1. Enable the Windows Process Activation Service feature
2. Configure the Authentication Settings in IIS.
This required me to open Server Manager, expand Features and use Add Features to add the Windows Process Activation Service.
Of course, with so many components to enable it became easier just to let the Pre-Requisite Checker fix the issue. This works fine for missing software, but when it comes to specific configuration options you will need to read the relevant advice.
Next I had a number of authentication settings to configure in IIS, including enabling Windows Authentication and disabling Anonymous Authentication.
Apparently there’s a situation where the Windows Authentication provider is not correctly included in IIS for the Default Web Site. The recommendation is to check the providers – removing “Negotiate” and adding it back in again – ensuring it is the first provider.
Next, under “Advanced Settings” for Windows Authentication, toggle the setting from Off to Accept, and back to Off again.
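The “Core IIS Modules” list and the Model Manager steps just above are all settings on the Default Web Site, so they script cleanly and can be re-applied after a rebuild. This is an added example for this post, written against the WebAdministration module that ships with IIS7 on Windows 2008 R2, not a script from the vCAC kit. It assumes the site is still called “Default Web Site”; nothing else is invented. The provider fix is done the way the guide describes it, remove and re-add, but rebuilding the whole collection so the order ends up as Negotiate then NTLM rather than relying on where IIS inserts the re-added entry.

```powershell
# Added example (not from the original post): apply the Default Web Site
# authentication settings from the pre-req list (Windows auth on, Anonymous off,
# Kernel Mode on, Extended Protection off, providers Negotiate then NTLM) and
# read the effective values back. ASSUMPTION: site name is "Default Web Site".
Import-Module WebAdministration

$site     = "Default Web Site"
$authPath = "system.webServer/security/authentication"
# These sections are locked to applicationHost.config, so target IIS:\ with a
# -Location rather than the site's own web.config.
$scope = @{ PSPath = "IIS:\"; Location = $site }

# Windows Authentication enabled, Anonymous Authentication disabled
Set-WebConfigurationProperty @scope -Filter "$authPath/windowsAuthentication"   -Name enabled -Value $true
Set-WebConfigurationProperty @scope -Filter "$authPath/anonymousAuthentication" -Name enabled -Value $false

# Kernel Mode on; Extended Protection off (tokenChecking = None)
Set-WebConfigurationProperty @scope -Filter "$authPath/windowsAuthentication" -Name useKernelMode -Value $true
Set-WebConfigurationProperty @scope -Filter "$authPath/windowsAuthentication/extendedProtection" -Name tokenChecking -Value "None"

# Providers: remove whatever is there (inherited or not), then add in order
$provFilter = "$authPath/windowsAuthentication/providers"
$current = Get-WebConfigurationProperty @scope -Filter $provFilter -Name Collection |
    ForEach-Object { $_.value }
foreach ($p in $current) {
    Remove-WebConfigurationProperty @scope -Filter $provFilter -Name "." -AtElement @{ value = $p }
}
foreach ($p in @("Negotiate", "NTLM")) {
    Add-WebConfigurationProperty @scope -Filter $provFilter -Name "." -Value @{ value = $p }
}

# Read back the effective configuration for this site and report it
$win   = Get-WebConfiguration @scope -Filter "$authPath/windowsAuthentication"
$ext   = Get-WebConfiguration @scope -Filter "$authPath/windowsAuthentication/extendedProtection"
$anon  = Get-WebConfiguration @scope -Filter "$authPath/anonymousAuthentication"
$provs = Get-WebConfigurationProperty @scope -Filter $provFilter -Name Collection |
    ForEach-Object { $_.value }

New-Object PSObject -Property @{
    Site               = $site
    WindowsAuth        = $win.enabled
    KernelMode         = $win.useKernelMode
    ExtendedProtection = $ext.tokenChecking
    AnonymousAuth      = $anon.enabled
    Providers          = ($provs -join ", ")
} | Format-List

if ($provs.Count -eq 0 -or $provs[0] -ne "Negotiate") {
    Write-Warning "Negotiate is not the first Windows Authentication provider on $site"
}
if ($anon.enabled) {
    Write-Warning "Anonymous Authentication is still enabled on $site"
}
```

Re-run it after each “Fix” from the checker: adding IIS role services can drop a fresh `<anonymousAuthentication enabled="true">` back in, and the read-back at the end tells you straight away whether it did.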
For this component I needed to include the HTTP Redirection Module:
…and as with the vCAC pre-requisites enable the Secondary Logon Service.
…again this is only needed for the duration of the installation.
By fulfilling all the pre-requisites of the first two services, I found I’d met all the pre-requisites of the Website install.
The DEM Worker shares some configuration requirements with the other roles but compared to the others is quite straightforward.
- NET 4.0 Framework
- Windows PowerShell 2.0
- Secondary Logon Service
As you can see it took me a while to meet all the pre-requisites of vCAC – it took me nearly a day to provision the VMs; install the pre-requisites; run the checker; and write this blog post! In the end I took my base build and exported it out as an .OVA file – so if I ever needed to do this again – I wouldn’t. The other thing I decided to try to do is build a tandem configuration that was one single vCAC instance with all the pre-requisites in place. I know some of my colleagues in the vCAC team have VMs preconfigured with all of this in a single VM instance – so it must be possible. I’m assuming that 1 Uber-Windows instance would have a smaller memory footprint compared to an array of Windows instances, which is what I ended up with. It’s a shame that this is all built upon Windows – as that prevents me building this Uber-vCAC on Linux and then distributing it as an OVA/OVF. But I guess that’s true of Windows versions of VMware View and vCenter…
Given what I learned in meeting the pre-reqs on a per-role basis, I figured for the Uber-vCAC, which would be used in a homelab, a simple installation which involved just installing the vast majority of products (like the whole of IIS) would be best. I decided against running something like Microsoft SQL Express on the same box, although that would be totally viable I think. I decided to keep the DB as a separate instance mainly because
Here’s my checklist:
1. Base Windows 2008 Template
2. Join to domain
3. Disable Firewall with netsh advfirewall set allprofiles state off
4. Install IIS Role with HTTP Redirection, Windows Authentication, and IIS 6 Management Compatibility
5. Install .NET 4.0 Framework (for the Pre-Requisite Checker)
6. Enable .NET 3.5.1 Feature
7. Enable Windows Process Activation Service Feature
8. Start the Secondary Logon Service; Configure MS-DTC Security
9. Install the Pre-Requisite Checker
10. Work through the remaining configuration tasks – which centre around settings for authentication in IIS.
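The Windows features and services in that checklist (the IIS role services, .NET 3.5.1, WAS, Secondary Logon, .NET 4.0 and the checker MSI) are the bit that is identical on every build, so here they are as one script to run on the domain-joined template before the checker. This is an added example for this post, not Randy Stanley’s script nor anything from the vCAC download. The feature names are the ones the ServerManager module uses on Windows 2008 R2; the two installer paths are placeholders for wherever you have put the .NET 4.0 redistributable and the extracted vCAC zip. The per-role IIS authentication and MS-DTC settings are left to the later steps of the checklist.

```powershell
# Added example (not from the original post): install the Windows features the
# vCAC pre-req checker asks for, set up the Secondary Logon service for the
# install window, and install .NET 4.0 plus the checker itself.
# ASSUMPTIONS: Windows 2008 R2; $dotNet4 and $checkerMsi are placeholder paths.
Import-Module ServerManager

$features = @(
    "Web-Server",                               # IIS role
    "Web-Asp-Net", "Web-ISAPI-Ext", "Web-ISAPI-Filter",
    "Web-Http-Redirect",                        # HTTP Redirection
    "Web-Windows-Auth",                         # Windows Authentication module
    "Web-Metabase",                             # IIS 6 Metabase Compatibility
    "Web-Mgmt-Console",                         # IIS Manager, for the hand-fixes later
    "NET-Framework-Core",                       # .NET Framework 3.5.1 feature
    "WAS", "WAS-Process-Model", "WAS-NET-Environment", "WAS-Config-APIs"  # Windows Process Activation Service
)

# Only add what is missing; Add-WindowsFeature pulls in dependencies itself
$missing = Get-WindowsFeature $features | Where-Object { -not $_.Installed }
if ($missing) {
    $result = Add-WindowsFeature ($missing | ForEach-Object { $_.Name })
    if (-not $result.Success) { throw "Feature installation failed" }
    if ($result.RestartNeeded -ne "No") {
        Write-Warning "Reboot required before the checker will see these features"
    }
}

# Secondary Logon: needed only while vCAC installs. Automatic here so it
# survives a reboot before setup runs; revert afterwards with
#   Set-Service seclogon -StartupType Manual; Stop-Service seclogon
Set-Service -Name seclogon -StartupType Automatic
Start-Service -Name seclogon

# .NET 4.0 (the checker itself needs it), detected via the NDP v4 Full key,
# then the checker MSI from the /tools folder of the extracted vCAC zip.
$dotNet4    = "C:\Install\dotNetFx40_Full_x86_x64.exe"            # placeholder path
$checkerMsi = "C:\Install\vCAC\tools\DCACPrereqCheckerInstaller.msi"  # placeholder path

if (-not (Test-Path "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full")) {
    Start-Process -FilePath $dotNet4 -ArgumentList "/q /norestart" -Wait
}
Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$checkerMsi`" /qn" -Wait

# Summary of where the build stands before running the checker
Get-WindowsFeature $features | Select-Object Name, Installed | Format-Table -AutoSize
Get-Service seclogon | Select-Object Name, Status, StartType | Format-Table -AutoSize
```

After the reboot the checker should only be left with the configuration items it cannot fix for you, the IIS authentication settings and MS-DTC, which are steps 8 and 10 of the checklist.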
At the end of this process I took template clones of all the VMs, so should I want to install vCAC from scratch I’d at least have the pre-requisites in place.